Summary

Security researchers published a new high-severity privilege escalation vulnerability dubbed PrintNightmare, which exploits a known vulnerability (CVE-2021-1675) in the Windows Server Print Spooler service. This attack can provide full domain access to any Windows server running the Print Spooler service, including Domain Controllers (DC), under a SYSTEM context. A DC will typically have the Spooler service running, as this is Microsoft's recommendation so that DCs can prune printers. Using this exploit requires nothing more than authentication as a domain user.

The original vulnerability lists only Windows Server 2008 and 2012 as viable targets; however, the proof of concept video shows a Server 2019 being exploited.  To further exacerbate this, the patches released on the 8th of June have been proven ineffective.


Affected systems:

  • Windows Server (2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2)
  • Windows (7, 8.1, RT 8.1, 10) (unconfirmed, and Windows firewall should protect these; more info to follow as it becomes available)

Mitigations:

Disable the Spooler service on all Windows servers except for print servers. If no one is onsite and printing right now, consider disabling it on the print servers as well for the time being.


The following PowerShell script can be used to disable the Spooler service on all servers in a specific OU (adjust the SearchBase to match your domain):


# Requires the RSAT ActiveDirectory module and WinRM access to the target servers
Import-Module ActiveDirectory

$c = Get-Credential   # account with local admin rights on the servers
$computers = Get-ADComputer -Filter * -SearchBase "OU=Server,DC=dom,DC=loc"

# Disable the service so it does not come back on reboot, then stop it now
Invoke-Command -ComputerName $computers.Name -Credential $c -ScriptBlock {
    Set-Service spooler -StartupType Disabled
    Stop-Service spooler -Force
}
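To confirm the mitigation actually took effect, the following added example (not part of the original advisory) audits the Spooler state on every server in the OU plus every Domain Controller and reports any host that is still running or not disabled, as well as hosts that did not respond. The OU path is an assumption; adjust it to your domain.

```powershell
# Added audit script (not from the original advisory): verify that the Spooler
# service is stopped and disabled on all servers in the OU and on every DC.
Import-Module ActiveDirectory

$c = Get-Credential   # account with local admin rights on the servers

# Use DNS host names for both sets so duplicates (DCs inside the OU) collapse
$servers = (Get-ADComputer -Filter * -SearchBase "OU=Server,DC=dom,DC=loc").DNSHostName
$dcs     = (Get-ADDomainController -Filter *).HostName
$targets = ($servers + $dcs) | Where-Object { $_ } | Sort-Object -Unique

# Query the service state remotely; unreachable hosts are skipped, not fatal
$report = Invoke-Command -ComputerName $targets -Credential $c `
    -ErrorAction SilentlyContinue -ScriptBlock {
    $svc = Get-CimInstance Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        State     = $svc.State        # Running / Stopped
        StartMode = $svc.StartMode    # Auto / Manual / Disabled
    }
}

# Anything still Running, or not set to Disabled, still needs attention
"`n== Hosts where the Spooler is NOT fully mitigated =="
$report | Where-Object { $_.State -eq 'Running' -or $_.StartMode -ne 'Disabled' } |
    Select-Object Computer, State, StartMode | Format-Table -AutoSize

# Hosts that returned nothing (offline, WinRM blocked) must be checked by hand
"`n== Hosts that did not respond =="
$targets | Where-Object { $_ -notin $report.PSComputerName }
```

Run it again after the disable script and after any reboot, since a service left at StartMode Auto will come back.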

Solution:

Current patches have been proven ineffective, so disabling the Spooler service is the best current solution.

Known patched (non-vulnerable) versions:

N/A

More information:

https://github.com/afwu/PrintNightmare

https://video.twimg.com/tweet_video/E5GOlYUXwAUyqzU.mp4

https://nvd.nist.gov/vuln/detail/CVE-2021-1675

https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability

https://twitter.com/arekfurt/status/1410223238064508928